Releases: manfredsteyer/angular-oauth2-oidc
17.0.2
- chore: Update jsrsasign due to CVE-2024-21484 Marvin attack of RSA and RSAOAEP decryption #1393
15.0.0
12.1
12.0.0
12.0.0
Bug Fixes
- #728 (51e438a), closes /github.com/manfredsteyer/angular-oauth2-oidc/issues/728#issuecomment-808969225
- clear location.hash only if it is present (c2b2753), closes #970
- correctly handle ? and & in location replacements (70fd826)
- Disable nonce validation for id token for e2e tests (f5bd96c)
- fix scope/state removal for implicit flow with hash (9e257d0)
- in code flow pass options to error handler (c9a2c55), closes #972
- jwks: update jsrsasign dependency to 10.2.0 (a05bd8a), closes #1061
- multiplying calls to token endpoint in code flow (59f65d2)
- Refresh tokens with a plus sign get corrupted before sending to token endpoint (2204c5a)
- revoketokenandlogout: 'customParameters' should accept boolean (9761bad)
- While Using POPUP mode, we click on login button multiple time it opens multiple popup instead of focusing already opened (bbff95b)
Features
- introduce DateTimeProvider (0c0a4a7)
- logout: postLogoutRedirectUri should not default to redirectUri (ff7d1d9)
- support JWT response on userinfo endpoint (da16494)
- Custom grant type added (#919)
- Listen for storage to receive auth hash from popup (#935)
- Add event for unchanged session (#936)
- Add loginHint to codeFlow (#938)
- Add a windowRef option to initLoginFlowInPopup to prevent the window from beeing blocked by popup blockers (#965)
- Use configured revocationEndpoint by default (#1020)
Thanks to all the contributors: Miguel Serra, Manuel Rauber, Frank Rosner, Everson R R Moura, meysam gheysaryan, Nikolay, Patrick Westerhoff, Jonathan Yee, Flofie, Dirk Bolte, Sebastian Abshoff, Paweł Dymiński, Bala Charan Nihanth Mutluru, Torkill Strømmen, codeepic, sven-codeculture, Mohamed AbdelAal, Chaz Gatian, Réda Housni Alaoui, huy2nhan, Lin Jie, Taras Krasnytsia, Josselin Francois Downey, BobCui, Mike, Jeroen Heijmans, coyoteecd
Special Thanks to the one and only Jeroen Heijmans for moderating the forum/ issues.
10.0.0
- Tested with Angular 10
- Details: see changelog.md
9.2.0
9.1.0
Features
- automatic silent refresh: stopAutomaticRefresh stops all timers. (8ab853b)
- code-flow: allow using silent refresh by setting useSilentRefresh to true (93902a5)
- sample: Also use new Identity Server 4 for implicit flow demo to prevent issues with same site cookies (58c6354)
- session checks: Session checks work now for code flow too. Please see docs for details. (4bf8901)
Bug Fixes
- code flow: Fixed code flow for IE 11 (0f03d39)
- sample: use hash-based routing (3f44eca)
- session state: save session_state also when using code flow (8fa99ff)
- state: passing an url with a querystring as the state, e. g. url?x=1 (71b705c)
- #687 (e2599e0)
- missing HttpModule dependency (7eac8ae)
- run tokensetup outside ngzone (07bb62d)
- typo (3d331f2)
Pull Requests
- Update sample app and silent-refresh.html script #755, linjie997
- Add optional state parameter for logout, pmccloghrylaing
- fix customHashFragment usage in tryLoginCodeFlow, roblabat
- replace document with injectionToken #741, d-moos
- Support predefined custom parameters extraction from the TokenResponse, vdveer
- Fixed not working silent refresh when using 'code' #735, ErazerBrecht
Thanks
Big Thanks to all contributers: Brecht Carlier, Daniel Moos, Jie Lin, Manfred Steyer, Phil McCloghry-Laing, robin labat, vdveer
Also, big thanks to jeroenheijmans for doing an awesome job with moderating and analyzing the issues!
9.0.0
New Features/ Merged PRs
- ~ 50% less bundle size for code flow (recommended flow) due to putting non-treeshakable code only needed for implicit flow (not recommended anymore) into an lib of its own (see breaking change, below)
- New demo-project quickstart-demo shows most important aspects for code flow
- Angular 9 upgrade #718, jeroenheijmans
- Fix for issue 661 #720, mike-rivera
- Set userinfoEndpoint if userinfo_endpoint not exists #685, luciimon
- Add more types in OAuthService #684, vadjs
- Fix destroying route via silentRefresh when using hash strategy (Issue 277) #672, tpeter1985
- Clean up more resources in ngOnDestroy #666, Andreas-Hjortland
- Fix positioning of popup login window #664, Andreas-Hjortland
- Fixed not using config.openUri in code flow #660, axle-h
- Merge pull request #656 from dirkbolte/improve-error-for-missing-endpointUrl, dirkbolte
- Add more guides on another way to use loadDiscoveryDocumentAndTryLogin #648, jonyeezs
- Added popup related error handling for implicit grant, dekundu
- Support hash location strategy with code flow #634, gingters
- Unsubscribe from 'token_received' events before re-subscribing #630, l1b3r
- Correct implementation of rfc7636 section 4.1 #629, jfyne
- During session check, ignore messages with irrelevant origin #617, Maximaximum
- Allow clockSkewInSec to be different from 600 #615, vdveer
- Fixing disableAtHashCheck, not being recognized correctly #613, dorianweidler
- Add support for code flow silent-refresh and popup #609, KevinCathcart
- Always set expiration timers for valid token types #597, harmpauw
- Validate self when calling crypto provider #588, ryanmwright
- Removed duplicated condition for allowedUrls during interceptor logic and make it optional #584, adrianbenjuya
- Add CryptoHandler to public api. #583, Chris3773
Big Thanks to all Contributers
adrianbenjuya, Andreas-Hjortland, axle-h, Chris3773, dekundu, dirkbolte, dorianweidler, gingters, harmpauw, jeroenheijmans, jfyne, jonyeezs, KevinCathcart, l1b3r, luciimon, Maximaximum, mike-rivera, ryanmwright, tpeter1985, vadjs, vdveer
Also, big thanks to jeroenheijmans for doing an awesome job with moderating and analyzing the issues.
You all rock!
Resolved Bugs
- AutoSilentRefresh doesn't work after refresh the page bug #444
- Event type 'received_first_token' is never fired bug #564
- loadUserProfile will return roles of last user if current user has no roles assigned bug investigation-needed #580
- OAuthResourceServerConfig: customUrlValidation not used when allowedUrls not set bug future-version pr-welcome #593
- Url Helper Service should not discard question marks when parsing hash fragment bug investigation-needed #604
- Code Flow erroring out due to multipe expiry events bug pr-welcome #632
- Emit token_expires if token has already expired bug #637
- Unhandled Promise rejection: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document bug #641
- postMessage interfering issue bug #657
- Does Authorization Code Flow work with loadDiscoveryDocumentAndLogin(); bug #661
- Refresh timer not started after page reload bug investigation-needed #683
- refresh with code flow bug #688
- Debug mode with custom Logger breaks bug pr-welcome #709
- tryLoginCodeFlow Removing ? from URL Which is Invalid bug investigation-needed
Breaking Changes
With regards to tree shaking, beginning with version 9, the JwksValidationHandler has been moved to a library of its own. If you need it for implementing implicit flow, please install it using npm:
npm i angular-oauth2-oidc-jwks --save
After that, you can import it into your application by using this:
import { JwksValidationHandler } from 'angular-oauth2-oidc-jwks';instead of that:
import { JwksValidationHandler } from 'angular-oauth2-oidc';Please note, that this dependency is not needed for the code flow, which is nowadays the recommended flow for single page applications. This also results in smaller bundle sizes.
Bugfix
Code + PKCE
Features
- Tested with Angular 8
- Code Flow + PKCE (RFC 7637) to align with OAuth 2.0 Security Best Current Practice
- Support for refresh_token and automatic refresh when using Code Flow
- See mentioned Best Current Practices document for things to consinder
More information about this can be found in the docs:
- https://manfredsteyer.github.io/angular-oauth2-oidc/docs/additional-documentation/code-flow-+-pcke.html
- https://manfredsteyer.github.io/angular-oauth2-oidc/docs/additional-documentation/refreshing-a-token.html
PR
Big thanks to all contributors for providing 21 PRs for this release! You all are awesome!!!
Proposal: Add implicit flow through popup
#468 by leonardochaia
Improve default oauth interceptor investigating
#515 by simonmulser was merged
feat: Upgrade to angular 8
#573 by killzoner was merged
Improve documentation for events
#520 by jeroenheijmans
Added customUrlValidation
#331 by vytautas-pranskunas-
Properly implements openUri for implicit flow
#369 by nhance was merged
Refresh the timers after configuration has changed
#382 by FabienDehopre
Cleanup timers when OAuthService is destroyed
#463 by leonardochaia
Fixed HTTPS error messages in service
#510 by bobvandevijver
Calculate the timeout using now as a reference
#487 by filipvh
Add documentation about configuring custom OAuthStorage
#512 by dennisameling
update README re: discovery doc validation disabling
#521 by cconcannon
optionally use crypto to generate nonce
#540 by ChristianMurphy
Pause silent refresh if user has logged out
#526 by l1b3r
Skip issuer check in processIdToken if skipIssuerCheck is true
#527 by ismcagdas
Corrects how localStorage could be used
#533 by ManuelRauber
Add noPrompt parameter to setupAutomaticSilentRefresh method
#536 by remiburtin
feature: Abort current implicit flow
#537 by enricodeleo
Fix spelling mistake
#544 by peterneave
Only present the sendAccessToken interceptor mechanism in the Readme
#554 by nhumblot
Added clock skew parameter
#569 by nenadmaricic